The IPSec Offload Solution

Keeping pace with encryption technology is important, but increased security demands a high price in terms of processing power. As an alternative to pricey, performance-enhancing accelerator cards, which start at about $2000, Windows 2000 (Win2K) offers built-in IP Security (IPSec) support that lets you create secure encrypted channels between network computers and dumps the processing overhead to a NIC that supports IPSec offloads. IPSec offers a comprehensive layer 3 solution and provides transparent encryption/decryption of all IP traffic. (For more information about Win2K's IPSec support, see Tao Zhou, "IP Security in Windows 2000," http://www.win2000mag.com/articles, InstantDoc ID 7976.)

With the availability of ever-increasing processing power, encryption algorithms have necessarily become more sophisticated to prevent brute-force cracking. Higher encryption levels increase security but result in performance degradation on host computers that process intensive encryption/decryption calculations. This load is noticeable on a machine supporting one IPSec security association (SA) and can cripple performance on a server hosting numerous SAs. The performance degradation from even one Triple Data Encryption Standard (3DES) SA can cause problems in a performance-sensitive process, such as Voice over IP (VoIP).

On a server with additional processor slots, more power is one solution to this type of performance problem. Another option is to invest in a specialized accelerator card with an application-specific integrated circuit (ASIC) that can offload cryptographic calculations. (For a review of one available accelerator, see Mark Joseph Edwards, "CryptoSwift II," Summer 1999.) However, both alternatives can become expensive, and neither choice is practical for desktops.

For organizations that have deployed Win2K, a third, relatively inexpensive solution exists: support for what Microsoft calls IPSec offloads. Win2K's network device interface specification (NDIS) 5.0 driver transfers processor-intensive encryption/decryption calculations to a hardware device that supports those functions. This process leverages Win2K's available functionality and makes implementation at the desktop level affordable. Intel and 3Com are the first vendors to incorporate this support into their NICs. In June 1999, 3Com released its 3CR990-TX-97, which includes an encryption coprocessor for IPSec offloads. At the Win2K launch in February, 3Com announced the release of the 3CR990SVR EtherLink Server 10/100 PCI NIC for servers. This model offers an additional 256KB of memory to support the multiple SAs that a server might require. For an investment of $139 (or less) per NIC, you can realize measurable performance gains when using IPSec.

Even if your organization doesn't immediately move to Win2K, specify encryption-coprocessor NICs for all your hardware purchases. These NICs function as standard 10/100 NICs when you install them in Windows NT PCs, and 3Com is developing IPSec software solutions that will utilize the NIC's IPSec offloading functionality for NT 4.0 and Windows 9x clients. Even if you don't plan to implement IPSec, Win2K PCs that use 3Com's 3CR990 NICs can offload other network-related processes, such as TCP segmenting and TCP/IP checksum calculations. (3Com claims that you can realize a 10 to 15 percent CPU load reduction by using the offload feature.)

Cryptographic accelerator cards are still the choice for high-end e-commerce servers because these cards can support a much higher level of transactions per second than the NICs can. But for Win2K servers in other roles and for Win2K and Win9x desktop machines, a $139 NIC is an inexpensive way to combine security and performance. And with secure channels moving your sensitive data across potentially hostile networks, you can remove at least one security headache.